  • Nothing Chats, a rival to apps like Beeper and AirMessage, advertised itself as a secure platform for sending messages to iMessage users.
  • However, less than 24 hours after its launch, investigations into the app revealed that Nothing Chats logged every message in plain text and stored unencrypted data, including text messages, images, videos, and more, making it a significant privacy and security risk.
  • The company removed the app from the Play Store following these complaints, citing "several bugs" that need fixing.
[-] Ghostalmedia@lemmy.world 259 points 1 year ago

Giving your iCloud credentials to a third party is already sketchy. It gives them the ability to read your messages, documents, health records, etc.

Nothing / Sunbird basically said “trust me bro, we’re super secure.” Then they did this right out of the gate.

What a bunch of morons.

[-] Beefytootz@lemmy.world 58 points 1 year ago

I wholeheartedly agree with you, but in today's world, that doesn't matter to most people. I work in banking and the amount of people who willingly give their whole ass banking information to third parties is insane to me. I'm not talking like just their debit card number or their account and routing numbers, like legitimately their online banking sign in info, and they don't see any potential risk at all

[-] NuXCOM_90Percent@lemmy.zip 40 points 1 year ago

It doesn't help that banks are normalizing this.

I recently began changing banks. To authorize a transfer from one to the other, my only option was to log in via a popup. No place to specify account details, just "log into your account to give us permissions". Fortunately the new bank is competent so I did it from that side, but it is still normalized insanity.

[-] cdf12345@lemmy.world 23 points 1 year ago

What’s even worse is typically in the terms of those 3rd party sites, they say they can monitor your balances and transactions until you tell them to stop.

[-] kautau@lemmy.world 20 points 1 year ago* (last edited 1 year ago)

Because all the banks are invested in the company that manages bank logins as a service

https://en.wikipedia.org/wiki/Plaid_Inc.?wprov=sfti1

[-] pineapplelover@lemm.ee 5 points 1 year ago

Fuck plaid. I hate this

[-] Ghostalmedia@lemmy.world 30 points 1 year ago

IMHO, the big fuck up is on the business side of the fence. Their product’s success rides on Apple not siccing their giant legal team on them. They needed to play this carefully. AKA, they needed to live up to the security promises.

Now they’re in the press for being an iMessage security vulnerability, and security is something Apple spends a LOT of marketing money on.

Apple is going to want to protect that image, and I wouldn’t be surprised if they come for Sunbird in the coming weeks.

They played this fast and loose, and it will probably cost them.

[-] kautau@lemmy.world 11 points 1 year ago

Yeah very much this. Their way of running a bunch of Macs intercepting iCloud messages was already sketchy, so I was surprised Apple hadn’t come for them sooner. But now that it turns out everything was being stored unencrypted in plaintext? Apple’s legal team couldn’t be happier, they did their jobs for them.

[-] Ghostalmedia@lemmy.world 7 points 1 year ago

My guess is that they would care less about people who decide to sign up for this service, but they are going to care about the customers on the other end of the line. AKA, the people who are not tunneling through Sunbird, and don't know they're communicating with a compromised user.

[-] kautau@lemmy.world 6 points 1 year ago

That's definitely true, if they follow their “Apple is the most secure consumer electronics manufacturer” PR strategy, they will be intent on trying to trace what accounts were communicating with whom, and alert said Apple users about potential data breaches. Tbh, while it fits their MO of being really good at PR, it’s also just generally a good thing. People should know if messages they sent that they thought were secure turned out not to be.

[-] AnActOfCreation@programming.dev 11 points 1 year ago* (last edited 1 year ago)

I used to use Privacy.com and Mint until I did some looking into Plaid. They present a login screen that looks like your bank and you assume they're doing some kind of OAuth. Nope, they're just taking your full banking credentials and you have to hope they're safe. I think Plaid is a ticking time bomb. When it gets hacked a lot of people will be in trouble.

[-] TheHobbyist@lemmy.zip 8 points 1 year ago* (last edited 1 year ago)

I think there is an important nuance: it's not that most people don't care about privacy, it's that they don't realize that they in fact do.

If they ever get bitten in the ass by privacy issues, they are likely to share their outrage, justifiably. But yeah, most people don't realize how important privacy is or what a lack of privacy actually implies...

[-] Gamoc@lemmy.world 5 points 1 year ago

Hmm, tell me more about this...ass banking....

[-] flop_leash_973@lemmy.world 7 points 1 year ago* (last edited 1 year ago)

Yup, and in any sane world this sort of thing would sink Nothing as a viable and serious option for a phone OEM. If they are willing to get behind such garbage ideas, what else are they doing that hasn't been dragged kicking and screaming into the light yet?

[-] fushuan@lemm.ee 5 points 1 year ago

health records

What? Why? Why would you ever trust apple with such private information?

[-] vox@sopuli.xyz 5 points 1 year ago

apple health/apple watch

[-] HonorIsDead@lemmy.world 116 points 1 year ago

This imploded so quickly I'm impressed

[-] Ghostalmedia@lemmy.world 50 points 1 year ago

I think they actually got more press for fucking it up than launching it.

[-] bus_factor@lemmy.world 20 points 1 year ago

Can confirm, I never heard of them before this post.

[-] Quexotic@infosec.pub 15 points 1 year ago* (last edited 1 year ago)

"That's nothing, hold my beer!"

-Elon Musk, probably

[-] SeaJ@lemm.ee 88 points 1 year ago

What crackhead thought it would be a good idea to store all of that unencrypted?

[-] Ghostalmedia@lemmy.world 66 points 1 year ago

The same crackhead that thought it was a smart idea to build a business around giving iCloud credentials to a middle man.

[-] kautau@lemmy.world 23 points 1 year ago

The company behind the chat software, so these guys

https://www.sunbirdapp.com/

[-] corsicanguppy@lemmy.ca 11 points 1 year ago

Are there plans for a desktop client?

Anybody with a browser is going to be able to use Sunbird. The messages will synchronize. A big challenge has been synchronizing without them storing the data but we got it right. The web app will synchronize with the Sunbird app. Bottom line... Got a browser? You will be able to use Sunbird.

They already can go to hell.

The frantic fumbling to find whichever bloody tab on which bloody window is making the chime is really something I can do without. And when I DO ignore it, I'm somehow at fault.

[-] kautau@lemmy.world 6 points 1 year ago

I mean they can mostly go to hell by stating

The Sunbird servers do not store user data promoting a safe, secure, and private messaging environment. With end-to-end encrypted, confidential messaging, Sunbird is fully secure and completely private.

And then literally storing unencrypted user data on their servers, doing the exact opposite of their claims.

This whole company/product comes off as a shitty cash grab from idiot techbros with little knowledge of software. Apple is going to eat them alive once the litigation starts.

[-] anon_8675309@lemmy.world 13 points 1 year ago

I mean it’s Carl Pei, right? He’s always done stuff to get attention for his products one way or another.

[-] Ghostalmedia@lemmy.world 19 points 1 year ago

All Pei did was put a Nothing skin on Sunbird. It was Sunbird that didn’t encrypt the comms.

That said, Pei was so damn thirsty for marketing attention that Nothing obviously didn’t fully vet the security around Sunbird’s product.

[-] danielfgom@lemmy.world 60 points 1 year ago

This is one of the many reasons I don't like Nothing. They are willing to put users at risk just so they can sell a few more phones.

Let me tell you Nothing's strategy:

  1. Make an exact clone of the iPhone and put some gimmick lights on it to get attention.

  2. Make some AirPod clones but make them see-through to again attract attention.

  3. Try to get iMessage working on Nothing 2 (screw you if you're on Nothing 1, Apple style) to reinforce the impression you're using an iPhone.

  4. If successful, price the Nothing 3 even higher to make it seem premium even though it's nothing special at all.

  5. Bring features to the Nothing 3, that the Nothing 2 and Nothing 1 will never get, even though there is no reason not to give it to them too.

  6. Repeat for Nothing 5 and every other Nothing ever. And eventually reach iPhone pricing.

In short, they are using their users just to get popular, become like Apple and get rich. Only to screw you over and make future phones super expensive.

Much like One Plus did. First you position yourself as flagship killer, and once you get a loyal following and deals with mobile carriers then you push the price sky high and give your supporters the middle finger.

Anyone who buys Nothing is a fool.

[-] narc0tic_bird@lemm.ee 12 points 1 year ago

  1. Do some YouTube content as the CEO that makes you look like the nice underdog.

[-] dingleberry@discuss.tchncs.de 9 points 1 year ago

Nothing is a clone of OnePlus... repeating the same strategy as OnePlus... destined for the same fate as OnePlus.

[-] starman2112@sh.itjust.works 43 points 1 year ago

I don't even exist in the same world as the word "infosec" and even I shudder at the phrase "plain text"

[-] generalpotato@lemmy.world 42 points 1 year ago* (last edited 1 year ago)

Really? Nobody did an arch review for this and figured this was going to be caught/uncovered/talked about day one?

[-] Ghostalmedia@lemmy.world 37 points 1 year ago

I imagine Nothing’s Infosec team must be terrible or non-existent. Any half decent infosec team would immediately raise red flags and pull in the legal dept as soon as they heard “let’s let our customers give their iCloud credentials to a small vendor we just hired.”

[-] corsicanguppy@lemmy.ca 23 points 1 year ago

Any half decent infosec team would immediately

... be overridden by a Chief Product Officer who says '[something something] for now'.

[-] JimVanDeventer@lemmy.world 36 points 1 year ago

This sounded like a disaster when it was first revealed they were basically relaying messages through some Macs they had lying around the office.

[-] pineapplelover@lemm.ee 25 points 1 year ago

Lesson learned. Cover up your tracks like Apple before you steal sensitive information.

[-] anon_8675309@lemmy.world 22 points 1 year ago

This is just fodder for the “android is insecure” crowd.

[-] Kidplayer_666@lemm.ee 18 points 1 year ago

So, sketchy idea, took around 2 days to be completely dismantled?

[-] CatTrickery@lemmy.world 16 points 1 year ago

I love how the marketing for this was absolutely everywhere. It wasn't anything new. It just tried and failed to reinvent the wheel that was matrix bridges.

[-] 9thSun@midwest.social 16 points 1 year ago

Just watched a SomeOrdinaryGamers video about this a couple days ago. Muta gave Nothing too much credit saying the texts etc would probably be encrypted. But lol "plain text". They crazy for that.

[-] donut4ever@sh.itjust.works 15 points 1 year ago* (last edited 1 year ago)

LMAO, who would have thunk it? That was a very desperate attempt to make some sales. I noped it the second I learnt that they were using a Mac mini somewhere to log into people's iClouds. That was the most pathetic thing I have seen in a while.

[-] Overlock@sopuli.xyz 11 points 1 year ago

There's Nothing to see here.

[-] mo_lave@reddthat.com 7 points 1 year ago

Nothing pulls its iMessage app from the Play Store following privacy disaster

i.e. something pulled its iMessage app from the Play Store following privacy disaster

[-] SmoothIsFast@citizensgaming.com 6 points 1 year ago

Any open source way to relay iMessage from your own Mac to an Android if one was so inclined?

this post was submitted on 19 Nov 2023
662 points (97.7% liked)

Technology